From z/OS TSS STIG
Part of ITCP0060
Associated with: CCI-000764
The TCP/IP started tasks require special privileges and access to sensitive resources to provide its system services. Failure to properly define and control these TCP/IP started tasks could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
a) Refer to the following reports produced by the TSS Data Collection: - TSSCMDS.RPT(@ACIDS) - TSSCMDS.RPT(OMVSUSER) b) Ensure the following items are in effect for the ACID(s) assigned to the TCP/IP address space(s): 1) Named TCPIP or, in the case of multiple instances, prefixed with TCPIP. 2) Has the STC facility. 3) z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh c) Ensure the following items are in effect for the ACID assigned to the EZAZSSI started task: 1) Named EZAZSSI 2) Has the STC facility. d) If all of the items in (b) and (c) are true, there is NO FINDING. e) If any item in (b) or (c) is untrue, this is a FINDING.
Develop a plan of action to implement the required changes. Ensure the following items are in effect for the ACID(s) assigned to the TCP/IP address space(s): 1) Named TCPIP or, in the case of multiple instances, prefixed with TCPIP 2) Has the STC facility. 3) z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh Ensure the following items are in effect for the ACID assigned to the EZAZSSI started task: 1) Named EZAZSSI 2) Has the STC facility For Example: The following commands can be used to create the user accounts and assign the privileges that are required for the TCP/IP address space and the EZAZSSI started task: TSS CREATE(TCPIP) TYPE(USER) NAME(TCPIP) DEPT(existing-dept) FACILITY(STC) PASSWORD(password,0) TSS ADD(TCPIP) DFLTGRP(STCTCPX) GROUP(STCTCPX) TSS ADD(TCPIP) SOURCE(INTRDR) TSS ADD(TCPIP) UID(0) HOME(/) OMVSPGM(/bin/sh) TSS ADD(TCPIP) MASTFAC(TCP) TSS ADD(STC) PROCNAME(TCPIP) ACID(TCPIP) TSS PERMIT(TCPIP) IBMFAC(BPX.DAEMON) ACCESS(READ) TSS CREATE(EZAZSSI) TYPE(USER) NAME(EZAZSSI) DEPT(existing-dept) FACILITY(STC) PASSWORD(password,0) TSS ADD(EZAZSSI) DFLTGRP(STCTCPX) GROUP(STCTCPX) TSS ADD(EZAZSSI) SOURCE(INTRDR) TSS ADD(EZAZSSI) UID(non-zero) HOME(/) OMVSPGM(/bin/sh) TSS ADD(EZAZSSI) MASTFAC(TCP) TSS ADD(STC) PROCNAME(EZAZSSI) ACID(EZAZSSI)
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer